On Tue, 15 Sep 2015, Jake Mertel wrote:
Reading through the article @ https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.htm..., I'm led to believe that the process(es) they overwrite are selected to cause no impact to the device. Relevant excerpt:
### Malware Executable Code Placement
To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attackers will examine the current functionality of the router and determine functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment. ###
So, if the device in question isn't using OSPF, then the malware may overwrite the code for the OSPF process, allowing them to A) infect the device; B) cause no disruption to the operational state of the device (since, presumably, OSPF isn't going to be turned on); and C) keep the image firmware file size the same, preventing easy detection of the compromise.
That explains why on my home IOS router either IPsec works properly or 802.11, but never both :) ~Marcin
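The point Jake draws out of the FireEye excerpt (the implant overwrites unused IOS functions in place, so the image file size never changes) has a direct consequence for detection: comparing file sizes tells you nothing, while a byte-for-byte or hash comparison against a known-good copy of the same image does. The following is an added example, not code from either poster or from FireEye. It builds a constructed toy "image" of fixed-size function slots (the names ospf_init, bgp_open, ipsec_encap, dot11_assoc and the 32-byte slot layout are assumptions for illustration, not real IOS layout), overwrites one slot with same-length implant bytes, and shows that size matches, the hash does not, and the differing region maps back to the overwritten function.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed toy image: four equal-size "function" bodies laid out back to back.
# The names and the 32-byte slot size are assumptions for this example only;
# they do not reflect any real IOS image layout.
FUNCS = ["ospf_init", "bgp_open", "ipsec_encap", "dot11_assoc"]
BLOCK = 32
GOOD_IMAGE = b"".join(name.encode().ljust(BLOCK, b"\x90") for name in FUNCS)

# Suspect image: the OSPF slot overwritten in place with same-length implant
# bytes, mirroring the in-place overwrite the FireEye excerpt describes.
IMPLANT = b"\xcc" * BLOCK
SUSPECT_IMAGE = IMPLANT + GOOD_IMAGE[BLOCK:]


def region_diff(good: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where suspect differs from good.

    Both inputs must be the same length; that is precisely the situation an
    in-place overwrite produces, and the one where size checks are useless.
    """
    if len(good) != len(suspect):
        raise ValueError("images differ in size; not an in-place overwrite")
    regions: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(good)))
    return regions


def image_report(good: bytes, suspect: bytes) -> Dict[str, object]:
    """Size check, hash check, and (when sizes match) the modified regions."""
    same_size = len(good) == len(suspect)
    return {
        "same_size": same_size,
        "same_sha256": hashlib.sha256(good).digest() == hashlib.sha256(suspect).digest(),
        "modified_regions": region_diff(good, suspect) if same_size else None,
    }


def overwritten_functions(regions: List[Tuple[int, int]]) -> List[str]:
    """Map differing byte ranges back to the toy function slots they overlap."""
    hits: List[str] = []
    for start, end in regions:
        for idx, name in enumerate(FUNCS):
            f_start, f_end = idx * BLOCK, (idx + 1) * BLOCK
            if start < f_end and end > f_start and name not in hits:
                hits.append(name)
    return hits


if __name__ == "__main__":
    report = image_report(GOOD_IMAGE, SUSPECT_IMAGE)
    print("same size:   ", report["same_size"])      # True: size is no signal
    print("same sha256: ", report["same_sha256"])    # False: hash catches it
    print("regions:     ", report["modified_regions"])
    print("overwritten: ", overwritten_functions(report["modified_regions"]))
```

In practice the known-good copy is the image as downloaded from the vendor, and the comparison is done off-box against a copy pulled from flash, since an implant that already owns the running image can lie about what it serves back. The region-to-function mapping here relies on the toy layout above; on a real image you would resolve offsets with the image's own symbol information.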